On 10/26/2010 10:39 PM, Bruno Wolff III wrote:
> On Tue, Oct 26, 2010 at 14:07:53 -0700,
> Jesse Keating <jkeating@xxxxxxxxxx> wrote:
>> That's only if you give root the right to disable or load new selinux
>> policy.
>
> And the policy is tight enough. You need to not allow root shells or most
> processes the ability to read the keys out of memory or to write memory
> that will change how things work. I don't think targeted policy is locked
> down enough to stop that even if you don't allow root to disable selinux.
>
>> Seriously, there are machines on the public Internet with a published
>> root account. You're welcome to log in and try to do anything with them.
>
> Yeah, I know about one guy that offers a root password if you ask. I am
> not sure what policy he is running on that machine.

It's Russell Coker, access details are available here:

http://www.coker.com.au/selinux/play.html

However the pages haven't been updated in a while and the service seems
to be down right now.

Regards,
Bryn.